Overview

By default, any resource that resides in an AWS VPC cannot communicate with on-premises LSA networks. The centrally-managed AWS Cloud Connectivity offering, using site-to-site VPN connections, enables this communication.

Our architecture for this connectivity is detailed below:

To provide resiliency, we connect to AWS using two site-to-site VPN connections. For site-level fault tolerance, one connection originates in ITF, while the other originates in our LC data center. Each connection has two tunnels for redundancy.

These connections terminate in the us-east-1 region within AWS using a service called AWS Cloud WAN. AWS Cloud WAN has a few components. The first is a Core Network, which is where the connections from campus and the AWS VPCs meet. VPCs connect to the core network using Core Network Edge Attachments. When a customer requests that this connectivity be enabled in their AWS account, we create a Core Network Edge Attachment in their VPC.

Note: While Cloud WAN does support cross-account VPC communication, this functionality is specifically disabled for customer VPCs. If you need to enable cross-account VPC communication for two or more of your AWS accounts, please reach out to the Cloud Team to discuss options.


Cost

ITS is centrally funding the VPN connections to campus. However, there are resources that get created to support this connection, and those resource costs are the responsibility of the customer. Customers are also responsible for charges that they incur for any data that traverses the connection.


Example:

You are a customer that uses this connectivity to reach a server on campus that resides in an LSA network. You are accessing it from a single AWS account and transfer 500GB of data over the course of a month using this offering.

Site-to-site VPN connections provided by ITS Enterprise Infrastructure - No cost

VPC Core Network Edge Attachment - 720 hours - $46.80 at $0.065/hour

Data Charges - 500GB - $45.00 at $0.09/GB

Total Estimated Charges - $91.80/month


Limitations

There is an issue caused by asymmetric routing when users on campus meet the following conditions:

  • Their VPC is configured for Campus to Cloud Connectivity as outlined in this article, and...
  • They are trying to access an AWS resource that resides in their VPC. This could be an EC2 instance, an RDS instance, etc., and...
  • The resource they are trying to access has a public IP address fronting it (Elastic IP or dynamically assigned by AWS), and...
  • The DNS name resolves to that public IP, or they are accessing it via that public IP directly

Traffic from campus to a resource's public IP leaves over the default internet route, because the public IP is not covered by any private route. In the VPC, however, the routes to the campus prefixes are more specific than the default internet route and take precedence, so the return traffic follows them over the VPN tunnel. The reply arrives on a different path from the request and is dropped. We recommend connecting from campus to the private IPs assigned to your AWS VPC-based resources. You can also ask hostmaster to configure separate DNS records for the private and public IP addresses, and for web-based applications you can put CloudFront in front of the application to work around this limitation.
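To make the asymmetric path concrete, here is an added Python example (not from this article or from ITS) that simulates longest-prefix-match routing on both ends of the flow: the campus router, which has a specific route for the VPC CIDR over the VPN and a default route to the internet, and the VPC route table, which has routes to the campus prefixes via the Cloud WAN core network and a default route to an internet gateway. The campus prefixes, VPC CIDR, Elastic IP, client addresses, account number and core network ARN are placeholders; the VPC route table is shaped like `aws ec2 describe-route-tables` output, in which routes via a Cloud WAN attachment carry a CoreNetworkArn.

```python
import ipaddress

# All addresses, prefixes and identifiers below are constructed placeholders
# (RFC 1918 and RFC 5737 ranges, AWS documentation-style IDs); they are not the
# real campus prefixes, VPC CIDR or core network ARN.
VPC_CIDR = "172.31.0.0/16"

# Campus router: the VPN advertises the VPC CIDR, so campus has one specific
# route for it; everything else follows the default route to the internet.
CAMPUS_ROUTES = [
    ("172.31.0.0/16", "vpn"),
    ("0.0.0.0/0", "internet"),
]

# An off-campus client has only a default route to the internet.
INTERNET_CLIENT_ROUTES = [("0.0.0.0/0", "internet")]

# VPC route table, shaped like one entry of `aws ec2 describe-route-tables`
# output: routes to the campus prefixes point at the Cloud WAN core network
# (CoreNetworkArn); the default route points at an internet gateway.
CORE_NETWORK_ARN = "arn:aws:networkmanager::111122223333:core-network/core-network-0123456789abcdef0"
VPC_ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/8", "CoreNetworkArn": CORE_NETWORK_ARN},
        {"DestinationCidrBlock": "192.168.0.0/16", "CoreNetworkArn": CORE_NETWORK_ARN},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
    ],
}


def longest_prefix_match(routes, address):
    """Return the next hop of the most specific route covering `address`.

    `routes` is an iterable of (cidr, next_hop) pairs; returns None if no route matches.
    """
    ip = ipaddress.ip_address(address)
    best_net, best_hop = None, None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def vpc_routes(route_table):
    """Flatten an EC2 route table dict into (cidr, next_hop) pairs."""
    pairs = []
    for route in route_table["Routes"]:
        if "CoreNetworkArn" in route:
            hop = "core-network"  # Cloud WAN attachment: this is the VPN path back to campus
        elif route.get("GatewayId") == "local":
            hop = "local"
        elif str(route.get("GatewayId", "")).startswith("igw-"):
            hop = "internet"
        else:
            hop = "other"
        pairs.append((route["DestinationCidrBlock"], hop))
    return pairs


def check_flow(client_ip, target_ip, client_routes=CAMPUS_ROUTES, route_table=VPC_ROUTE_TABLE):
    """Trace the request path (client side) and the reply path (VPC side).

    A flow is symmetric when the reply leaves the VPC on the same kind of path
    the request arrived on. A request that reaches the resource's public IP via
    the internet but is answered over the core network is the dropped case.
    """
    forward = longest_prefix_match(client_routes, target_ip)
    reverse = longest_prefix_match(vpc_routes(route_table), client_ip)
    symmetric = (forward, reverse) in {("vpn", "core-network"), ("internet", "internet")}
    return {"forward": forward, "reverse": reverse, "symmetric": symmetric}


def is_private_target(target_ip):
    """True if the address is inside the VPC CIDR, i.e. the address to use from campus."""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_network(VPC_CIDR)


if __name__ == "__main__":
    campus_client = "10.1.2.3"
    private_ip = "172.31.5.10"   # the instance's VPC address
    public_ip = "203.0.113.7"    # placeholder Elastic IP on the same instance
    for target in (private_ip, public_ip):
        result = check_flow(campus_client, target)
        verdict = "ok" if result["symmetric"] else "DROPPED (asymmetric)"
        print(f"{campus_client} -> {target}: request via {result['forward']}, "
              f"reply via {result['reverse']}: {verdict}")
    # The same public IP works from off campus: the reply also leaves via the IGW.
    print(check_flow("198.51.100.5", public_ip, client_routes=INTERNET_CLIENT_ROUTES))
```

Running the script shows the private IP as a symmetric flow (request via the VPN, reply via the core network), the public IP from campus as the dropped case (request via the internet, reply via the core network), and the same public IP from an off-campus client as symmetric, which is why only campus users notice the problem. Replace the placeholder route table with the real output of `aws ec2 describe-route-tables` for your VPC to check your own routes.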


Requests

We encourage customers to meet with us prior to submitting a request to enable this connectivity in their AWS account. You can schedule time to speak with us.

Request Campus to Cloud Connectivity in your AWS Account

Article number: 127176
Last updated: June 30, 2023